DNS Exploit Attempts??

Dawn Connelly dawn.connelly at gmail.com
Wed Jul 30 20:01:11 UTC 2008
True that...but this is most likely the script that was causing the badness
he was seeing: http://www.opennet.ru/dev/fsbackup/src/1.2pl1_to_1.2pl2.diff
It was written by the same guy that owns the IP address space that he was
seeing the . requests coming from. It should still be blacklisted.

On Wed, Jul 30, 2008 at 12:46 PM, Graeme Fowler <graeme at graemef.net> wrote:

> On Wed, 2008-07-30 at 13:08 -0400, Jeff Lightner wrote:
> > Someone had apparently posted on a Fedora forum that seeing the high
> > level of query cache denied was a sign of people trying the exploit but
> > someone else here said it wasn't a symptom of the exploit.
>
> That's not *quite* correct (well, not even correct actually, but that
> sounds churlish).
>
> I said that the addresses listed in the post on the fedora-users list
> were actually directly related to research work being done by Dan
> Kaminsky and/or some people at a .edu connected to him.
>
> The OP of the message fired off in a panic, IMO, without doing any
> homework whatsoever.
>
> > However, on returning to my office I too saw a dramatic increase in the
> > number of these.   If they aren't for the exploit does someone know why
> > they increased?
>
> If you've seen a dramatic increase in log entries, have you done any
> work at all to see where they're coming from? Pound to a penny, if you
> find they're from an educational institution you'll be able to fire off
> an email to someone there (look in WHOIS for the contact details for
> starters) and they'll tell you. If they're from Nigeria, Chinese ISPs,
> Russia, or a bunch of colo/hosting places in the US or Europe (or other
> common malware sources, yours will differ from mine) then they're
> probably scans from less friendly types.
>
> There's an interesting message on the OARCI dnsops list here:
>
> http://lists.oarci.net/pipermail/dns-operations/2008-July/003110.html
>
> [note: the sender of that message is the originator of query-cache scans
> from Georgia Tech IPv4 space]
>
> I guess the important message here is: do some homework first. They may
> or may not be malicious, but having an indication either way is good
> before you run into the woods with your shotgun.
>
> Graeme
>
>
>
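Graeme's advice above amounts to "aggregate the denied queries by source before deciding anything". The script below is an added example (not from this thread or from BIND) that parses BIND 9 `query (cache) ... denied` security-log lines, counts them per client address, and lists the addresses that repeatedly sent the `.` NS probe being discussed, so the result can be handed to `whois`. The log lines, the documentation-range addresses and the `threshold` of 3 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 "security" category format (not from the thread).
SAMPLE_LOG = """\
30-Jul-2008 13:08:01.101 client 192.0.2.10#53412: query (cache) './NS/IN' denied
30-Jul-2008 13:08:01.207 client 192.0.2.10#53413: query (cache) './NS/IN' denied
30-Jul-2008 13:08:02.310 client 192.0.2.10#53414: query (cache) './NS/IN' denied
30-Jul-2008 13:08:05.002 client 198.51.100.7#1025: query (cache) 'www.example.com/A/IN' denied
30-Jul-2008 13:08:09.550 client 192.0.2.10#53415: query (cache) './NS/IN' denied
30-Jul-2008 13:08:11.000 client 203.0.113.4#40000: query (cache) './NS/IN' denied
""".splitlines()

# One denied-query line: timestamp, client ip#port, then 'qname/qtype/qclass'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)

def parse_denied(lines):
    """Yield (ip, qname, qtype) for each 'query (cache) ... denied' line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")

def summarize(lines):
    """Return (denied count per source, per-source Counter of (qname, qtype))."""
    per_source = Counter()
    per_source_queries = defaultdict(Counter)
    for ip, qname, qtype in parse_denied(lines):
        per_source[ip] += 1
        per_source_queries[ip][(qname, qtype)] += 1
    return per_source, per_source_queries

def root_ns_probers(lines, threshold=3):
    """Sources that sent the '.' NS probe at least `threshold` times.
    The threshold is an assumed, tunable value, not something the thread states."""
    _, queries = summarize(lines)
    return sorted(ip for ip, qs in queries.items() if qs[(".", "NS")] >= threshold)

if __name__ == "__main__":
    per_source, _ = summarize(SAMPLE_LOG)
    for ip, n in per_source.most_common():
        print(f"{ip:<16} {n} denied cache queries")   # candidates for a whois lookup
    print("repeat '.' NS sources:", root_ns_probers(SAMPLE_LOG))
```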
More information about the bind-users mailing list